Introduction and Common Sense Rules
As the recent drama surrounding the NSA and its Prism program should remind us, we have a duty to ourselves to maintain our own privacy and security whenever possible. As such, it is my hope that with the aid of this guide you too can learn to take care of yourself and your data online. This guide is going to be focused on Windows users, since I anticipate that most of you are such. Linux users should find most of this pretty easily applicable though, aside from the methods of installation. Before we begin the more technical aspects, I would like to start out with a few ground rules.
The first thing to remember is to be very wary of trusting companies with your information. Not all companies will properly encrypt your data, and a very large amount of them will use it for marketing purposes, with or without your knowledge. Considering the first point, wherever possible, avoid reusing passwords between different applications and websites. You may well want to consider some sort of password manager to help facilitate this task, like the one found in Firefox. Considering the second point, it helps to have a secondary e-mail address you use solely for signing up for things; where applicable, you many want to consider a service like 10 Minute Mail to create disposable e-mail addresses.
Secondly, don’t click on random pop-ups and ads online, and never, ever install toolbars. At best, they invade your privacy. At worst, they end up being malware. Frankly, avoid most porn sites, as they tend to harbour a lot of nasty things, and avoid “free cursors” and “free games” ads; these tend to be thinly-disguised spyware or viruses.
Third, be careful with proprietary software and services. If they’re not transparent, there’s always the possibility of a back-door or severe flaw, and no one is allowed to fix it except the company, holding you hostage to it, essentially.
Lastly, always make sure that you browse responsibly and take care of your system. This includes keeping an up-to-date anti-virus program. Windows users should be fine with MalwareBytes and Microsoft Security Essentials in theory, though if you want to be more paranoid or are less skillful, I’ve heard good things about ESET, and last I heard AVG Free isn’t too awful; many of the other commercial ones are annoyingly bloated and some mess with your hosts file (a file that lets you blacklist websites at a system level), preventing you from going to certain websites they disagree with. A skilled user is unlikely to need their protection, but mistakes do happen. For the record, I’ve had Windows 7 since it came out and I’m still on my original install with no infections or system corruption.
Web Browser Enhancements
With that out of the way, let’s move on to the first line of defence: your web browser and its configuration. If you’re using Internet Explorer for your main browsing: don’t. Use Firefox instead. It’s open source, freely available, and of high quality. Additionally, Mozilla, the company behind Firefox, has an outstanding track record when it comes to campaigning for the good of the Internet and the common man. Firefox can be obtained from Mozilla free of charge. To begin with, we’ll want to make sure a few options are set in a certain way. Go and hit the menu button, then Options. Let’s go tab by tab:
In General, you may want to adjust the Startup option to whatever suits you. In Tabs, likewise. In Content, ensure that “Block pop-up windows” is checked. Ignore Applications; in Privacy, select “Tell sites that I do not want to be tracked”; this only applies to advertisers that opt-in to a voluntary program, but still covers a fair amount. With history, choose custom settings, and make sure that you disable accepting cookies entirely (we’ll enable them on a case-by-case basis later). Other settings here are up to you. In Security, ensure that attack sites and forgeries are blocked and that you are warned if a site tries to install an add-on. Additionally, should you want to take advantage of Firefox’s ability to remember passwords for different sites, check the “Remember passwords for sites” box and the “Use a master password” box. That second check box should not be considered optional, as without the master password feature your passwords are stored in plain-text, leaving them vulnerable to extraction by rogue scripts, etc. You should only have to enter the master password once per session, so it’s not a terribly big burden. Moving on to the Advanced tab, under Data Choices, choose what you’re comfortable with. This should conclude the basic configuration. Now, we’re going to need to set a few advanced options. To do so, open a new tab, type “about:config” in the address bar, and hit enter. Assure them that you know what you’re doing, and then, in the search bar that appears, type “geo.enabled”; set this to False to disable geolocation. Then, find “keyword.url” and change it to either
"https://startpage.com/do/search?q=". For my part, I happen to really like Startpage because it gets most of its results through Google, but using itself as a proxy so you don’t get caught up in the trap of a search bubble (you’ll notice that if two different people google the same thing, they can get different results based on how Google has been tracking them; for instance, conservatives tend to get conservative results on political topics while liberals get more liberal results) and it also includes a built-in proxy you can use to visit any site so that that site doesn’t know that you visited. It also promises to keep no data on you whatsoever, which is a huge plus. DDG behaves very similarly and seems to also have excellent privacy policies, only they do their own work and don’t use Google at all, from what I gather. Either one is certainly a much better alternative from a privacy point of view. This should be good enough for now; go ahead and close that new tab once you’re finished.
Firefox pretty well pioneered the idea of extensions, and to this day it maintains an incredible amount of them, which is one of its greatest strengths. There are several we’re going to want to grab for the sake of privacy and security. A few of these are a bit advanced and may cause a bit of frustration from time to time, but a minor loss of convenience is a small price to pay for better security. To install an add-on, click the menu button, then click “Add-ons”. From there, you can search for new add-ons and configure existing ones.
The extensions you should consider include:
- Adblock Plus
- Cookie Monster
- FoxyProxy Standard
While installing these, Firefox will prompt you to restart; don’t bother until all of them are installed and configured, as detailed below. To find them after installation, go to the Extensions page on the left of that same screen.
With Adblock, you’ll want to get Easy List as well as EasyPrivacy; to add these, go to the options for ABP and click “Filter Preferences”; from there, click “Add Filter Subscription”; Easy List should show up in that listing. To add EasyPrivacy, click “Add a different subscription” in that same menu, and then find EasyPrivacy. Alternatively, just
navigate to the bottom of the tab that opens immediately after installation and turn the
three sliders at the bottom to the “on” position. You may also want to consider adding the “Element Hiding Helper for Adblock Plus” extension; this makes it easier to say, hide that trending topics area on Facebook, etc.
With BetterPrivacy, you may want to adjust its options to delete the cookies on every shutdown, quietly. This plugin deals with Flash cookies, which aren’t treated the same as regular cookies in a lot of cases, and are very annoying at times.
Now, with Greasemonkey, one needs to be very careful, as it allows user-made scripts from anyone to be run, and there’s a lot of jackasses on their site that abuse this fact. However, we’re going to use a certain script that prevents sites from interfering with the ad-blocker we installed, and another script that disables some annoying “features” of certain websites. Those scripts are, respectively, Anti-Adblock Killer and Anti-Disabler. Merely click the green Install button to add these scripts.
It’s rare, but occasionally some sites will malfunction while these scripts are activated, but you can disable them selectively from the Greasemonkey menu.
We’re going to ignore FoxyProxy for now, but come back to it later. Blender is unique in that it doesn’t require a restart to use; what it does is set your user-agent to mimic that of the most common Firefox setup, making you “blend in” with other traffic. The user-agent string is what shows your browser, its version, your operating system, and other things that are often surprisingly unique, depending on the sites you go to and what their usual traffic is. Ideally, this should be okay to leave on on a regular basis, but if a site is complaining about your version for some reason, try disabling that (after making sure the three extensions named above are properly configured).
For completion, HTTPS Everywhere does just what it says on the tin: attempts to force HTTPS connections on supported sites instead of plain-text HTTP. This is the desired behaviour in 99.9% of cases. It can also optionally send sites you visit to an observatory database for further analysis, but this is up to you.
With that, Firefox should be good to go; go ahead and restart it and play with it a bit; just don’t forget about those 3 extensions. If your bottom panel with them is not visible, press Ctrl+/ to toggle it. Don’t forget that you can customise the layout if it’s getting a little crowded.
One of the best things you can do for your privacy and security is to move to more open software and platforms where possible. While Firefox is a great start, there’s a few more categories of software that need to be addressed, and that’s going to lead us into another topic: general encryption.
Without encryption, anyone can see your traffic, including what pages you visit and what you say on chat. As this is undesirable, let’s see about getting some software on here that prevents these problems. This is a very involved topic, so I’m going to keep it focused on browsing, chat, and e-mail for the time being.
Browsing with Tor
First, the browsing. Remember how we installed FoxyProxy? What this does is allow us to use a proxy to access web pages instead of doing so ourselves. You can either load it with a free proxy you find yourself, with, for instance, an SSH tunnel (if that’s beyond you, don’t worry about it), or even better, Tor. Tor is a service that allows for a computer to randomly connect to several others on a circuit, each carrying traffic from the original request, knowing only which system directly preceded them and where they’re going to send it, creating a reliable bit of anonymity. Before we configure FoxyProxy, we ought to install the Tor Browser Bundle. This includes both a custom version of Firefox designed to work well with Tor as well as a program called “Vidalia” that we can use outside of the bundle for use with FoxyProxy. Why have two different browsers? For maximum flexibility. Our configuration, while blocking a lot of trackers, ads, and other unsavoury things, makes us rather unique relative to other browsers, making us easier to fingerprint in general. In cases where this is important, we can trade off these scripts and enhancements for the sake of blending in better, which the bundled browser is quite good at. At any rate, download the executable and have it install to somewhere convenient, like perhaps the Desktop. The bundle is self-contained and doesn’t need a proper installation. To use it, merely execute “Start Tor Browser.exe”. Should you wish to use it with our normal version of Firefox, go into the App folder, execute “Vidalia.exe”, and then hit “Settings”. From there, ensure that “Start the Tor software when Vidalia starts” box is checked, and change the path there to “.\tor.exe”, so that it knows to look in the same folder to find Tor. This only needs to be done the first time; after that, it should be automatic. When done, click the Start Tor button and watch the show. Afterwards, in Firefox, right-click the FoxyProxy icon that should be in your bottom panel and hit “Options”. Then, File -> Tor Wizard. Answer “without” to the bit about privoxy, and accept the defaults. On the final screen, remove the Google Mail filter by clicking it and hitting “Delete Selection”, then create a new one with “Add New Pattern”. Name it “All” and put a * in the URL field; hit OK. To use Tor with FoxyProxy now, simply right-click the FoxyProxy icon and select “Use proxy Tor for all URLs”. Don’t forget to unset the proxy when you’re done.
Regardless of which way you choose to do this, you can test to see if you’re using Tor by opening a new tab and going to Tor’s checker, which the dedicated browser will open to automatically; note the number that shows up, as well as the message. If you choose to use a New Identity via Vidalia’s panel and refresh this page, along with the confirmation message you should also see a new IP Address. Note that browsing with Tor is a lot slower than browsing normally. It is also worth mentioning that Tor works really nicely in Private Browsing mode, which by default doesn’t store any history and deletes cookies upon closing, if you go the FoxyProxy route.
If you can spare the resources, it would be helpful if you could adjust your Vidalia settings to run as a relay, to help other users. An internal relay doesn’t allow people to use you to visit websites directly, but lets you help people reach systems that will, and is a real help. I run a Tor node myself off of my laptop when at home; it runs as long as Vidalia is active in the system tray. If you prefer to use the dedicated browser instead of FoxyProxy, it doesn’t seem to hurt anything to run two instances of Vidalia, one for running a relay and one for browsing. The second instance will close automatically when the dedicated browser is closed.
When using Tor, be careful and be courteous. Don’t try to use it to view bandwidth-intensive things like video, for instance. Also, remember that you can make a new circuit at any time by hitting “New Identity” in the Vidalia window. Tor is not perfect protection, so try not to do anything too stupid.
Encrypting DNS Traffic with DNSCrypt
As a small, additional layer of security, and to likely improve your web performance in general, we may as well set up OpenDNS + DNSCrypt. DNS is the thing that turns things like 22.214.171.124 into “google.com” and back, simply put. You normally get your DNS resolver from your Internet Service Provider (ISP), but nothing is stopping you from using any number of different ones. The advantages include possible speed increases, lack of censorship, and in this case, DNS requests that are encrypted between your system and OpenDNS’ resolvers, preventing spying, spoofing, or main-in-the-middle attacks. Luckily, it’s wonderfully simple and all but automatic on a Windows machine. Simply head to their website and download the software, following the prompts. If all goes well, you should get a little green icon in your system tray, and it should be set to start up when you reboot your system too. To test that it’s actually working, head to this page. If it says “Welcome to OpenDNS”, you’re good to go. Linux users can follow the instructions on their site; it’s not a difficult install, but remember that you’ll need to compile and install libsodium in the process. You should also add it as a startup process; cf. this page for details. You may need to manually adjust their script’s path though, depending on how you installed dnscrypt.
Encrypted Chat with OTR
Encrypted browsing is nice, but the big thing about the Internet is communication. Given that, we want to be able to talk to people without other people interfering. While I don’t have any solutions for group chat beyond a secure Mumble or IRC server, I know that for 1:1 text-based chat, OTR is pretty awesome. OTR, or “Off-The-Record” messaging, is a protocol that relies on both parties creating certain “keys” that are compared along with a certain randomised bit of math for each conversation. This means that if someone’s key changes, you’ll know it’s not the same setup and potentially not the same person. This also means that each chat session is encrypted uniquely, so if one chat session is somehow cracked, all past and future ones should be fine.
An excellent program for this sort of thing would be Pidgin. Pidgin is the primary front-end for the libpurple programming library, which allows for a single program to connect to almost all known chat services, and which is further extendible via plug-ins. Because of this fact, and its constant development, it makes an ideal platform for trying out OTR. Once Pidgin itself is downloaded and installed, you’ll want to pick up the OTR plug-in. Once that is installed, go ahead and open Pidgin. While it is worth poking around in the settings and plug-in options and adjusting them to your taste, the most important thing to focus on initially is setting up your accounts and OTR.
First, go to Accounts -> Manage Accounts. Click “Add…” and follow the prompts. When adding a Facebook account, you’ll need your custom URL; to get your unique instructions specifically for Pidgin, please see this page. Upon setting everything up, you’ll then need to go to Tools -> Plugins. From there, scroll down until you find “Off-the-Record Messaging”. Ensure that the box next to it is ticked, and then hit “Configure Plugin”. For each account that you enabled previously, select it from the drop-down box and hit “Generate”. This may take some time. Under the “Default OTR Settings” heading, ensure that “Enable private messaging” and “Automatically initiate private messaging” are checked, as well as “Show OTR button in toolbar”. Whether or not to log the conversation is up to you. If you prefer not to log even plain-text conversations, poke around in the main Pidgin settings to turn that off.
Once this is complete, the next time you communicate with someone that also is using this setup, you’ll automatically try to enable OTR; you can also do so manually by clicking the red text on the screen that says “Not Private”; this will allow you to manually start the session. The first time you talk to someone, or if their key changes for whatever reason, you’ll have to authenticate them. Merely follow the prompts to do so. If you’re confident it’s really them, just manually verify their fingerprint with the drop-down boxes, else type a challenge question that they should know the answer to. Any time after this this step will be unnecessary, unless, again, their key changed. Congrats, you’ve got high-tier encryption and a convenient interface for all of your chat networks, including Twitter (with a plug-in), GMail chat, AIM, and Facebook, among others. Well, almost all. What about encrypted video chat, like Skype?
Encrypted Video Chat With Jitsi
Since it’s been discovered that Microsoft actively monitors at least the text-based chat within Skype (allegedly for consumer protection), and since this raises questions of potential back-doors and taps, since the software is by no means open source, I strongly suggest turning to Jitsi, an open source alternative to Skype. Please note that it is not compatible in any way with Skype due to Skype’s proprietary nature. Jitsi is written in Java, meaning that it’s fairly easy to port to different operating systems, including Windows and Linux, making it pretty consistent across the board. More importantly, it uses ZRTP for encryption, which was created by one of the guys behind PGP, the encryption scheme we’ll set up for e-mail a bit later in this document, and which apparently works in a similar manner to OTR encryption, discussed above. You can sign up for an account on Jitsi’s main site, and it’s not at all difficult to set up; just install it and follow the prompts. When you go to set up your Jitsi account via File -> Add New Account, remember that you’re using XMPP, and want to have the user name you signed up with on their website handy; it’ll be in the form of “userName@jit.si”. Like Pidgin, it can handle several other chat networks and actually supports OTR, though Pidgin is infinitely more extensible and flexible and for that reason I recommend Jitsi more for the Skype-like features than for general chat. Of course, it’s entirely up to you.
Using PGP to Sign and Encrypt E-Mails
Moving on, this is the final section of this guide, and it is among the most complex. What we’re going to do here is set up a system of encryption and verification used for e-mail, along with a client for reading e-mail locally. In this guide, you’ll have two choices: Claws Mail or Mozilla Thunderbird; I’ll provide instructions for both. The difference is a matter of taste and resource-usage, basically. Claws is lightweight (Takes about 10 MB of RAM) and simple, while Thunderbird is a little heavier (takes about 54 MB of RAM) but with a lot of additional features (like integrated chat, though the only way to get OTR with it at present is to connect to a Bitlbee server, but that’s beyond the scope of this guide unless someone is really wanting to do this) and a different feel, more like a web browser. Claws Mail is slightly more involved when it comes to setting up your e-mail accounts, but Thunderbird requires an additional plug-in before it can be used with PGP. I guess it balances out. Claws Mail will come bundled with our PGP pack, while Thunderbird can be obtained from Mozilla’s website. You may also need to go into your e-mail provider’s settings and allow for third-party clients to use POP3 or IMAP. I’ll give instructions for GMail, since that’s what I currently use. POP3 is the more traditional style where you download your e-mails locally, usually to one client but potentially to several if you have “recent mode” enabled; mail can then be either archived on the e-mail provider’s site or deleted from their servers afterwards (either immediately or after a set amount of time). IMAP is a bit more modern and basically uses your mail client as a front-end to their mail server, keeping everything on their end and generally little beyond cache on yours. It’s up to you to decide which way you prefer to handle things. Personally, I tend to prefer POP3, because then I can create local filters for handling my mail and because I can then read my mail even when I’m not online with no additional setup, but whatever works for you is what you should do.
First, let’s set up the e-mail account on your provider’s end. If you don’t have GMail, try to think laterally and look for similar-sounding items in your e-mail provider’s settings pages. Basically, what you want to do is go to your provider’s general account settings and look for a tab or section along the lines of “Forwarding and POP/IMAP”. From there, you should be able to enable POP for “all mail ever”, which is great if you want to make a local backup, or for “mail that arrives from now on”, which is probably ideal. You should also be able to determine what the server does after the messages are accessed with POP; I have mine set to “archive GMail’s copy”, which takes it out of my inbox view but still maintains it in “All Mail”. Other options include keeping it in the inbox (I think as unread), marking it as read (presumably keeping it in the inbox), or deleting it. This same screen can generally also set up IMAP, which follows a similar pattern. After adjusting your settings to what you feel is best for your use-case, we can move on to installing GPG itself (along with Claws, should you want to go that route instead of Thunderbird).
A bit of background: GPG is the “GNU Privacy Guard”, a GNU implementation of PGP (Pretty Good Privacy), with GNU being the software produced by the Free Software Foundation, a recursive acronym meaning “GNU is Not Unix”; GNU provides the basic software for a Linux distribution along with many other useful projects. Regardless, the way this works is basically that you generate a “public” and a “private” key that are related to each other to a degree, but not to such a degree that you can reverse-engineer the private from the public. Basically, you can use other people’s public keys to encrypt a message that can only be read by their private key, or, effectively, just them, which is the general idea (You can also encrypt with your own public key so that you too can read that message, and you can also use this feature to encrypt files locally). Additionally, you can “sign” a message with your private key, which doesn’t give away your private key at all, but creates a hash of the message you’re sending, so that if it’s modified in transmission it will be obvious to the receiver; the message itself isn’t necessarily encrypted by doing this, however, and it bears mentioning that the subject line of an e-mail is _never_ encrypted, at least by software (nothing is stopping you from doing your own cypher by hand on it if you want, I guess). Please ensure that you keep your private key somewhere safe; a lot of people keep it on a secure USB drive and then insert it when they need to use it.
At any rate, let’s get on to the fun stuff. First, download the nicely-packaged GPG4WIN installer. As you install, you’ll have a few choices. You should be able to install two front-ends for GPG, namely “GPA” and “Kleopatra”. I prefer GPA for its more user-friendly interface given our current task; you may want to install both and experiment later. This is also where you can choose to install the lightweight Claws e-mail program; do so or not at your discretion. I recommend also installing GPGEx, to add relevant menu items to your Windows right-click menu, and perhaps the documentation (the compendium part). Uncheck the GPGOl part, because screw Outlook. As you continue, you’ll see some stuff about S/MIME. I don’t think that’s important for what we’re doing here, unless I’m mistaken, so feel free to ignore everything there and just check the box. After everything is done, find the GNU Privacy Assistant (GPA) program and open it. Then, hit Keys -> Generate New Key and follow the prompts. Be careful when choosing a passphrase; make it long and include different types of characters. Now, to actually make use of this and send people encrypted e-mails, you’ll need to trade public keys with them; this can be easily accomplished by exporting and importing the keys via the File menu; you can e-mail, DCC, put it on USB, whatever. Alternatively, you can put it on a keyserver, though that is somewhat outside the scope of this for now.
Of course, to actually send e-mail, we need to set up our e-mail program, the final step. Again, I’ll offer instructions for both Claws Mail and Thunderbird, beginning with the former; feel free to skip ahead to the Thunderbird section if you prefer to use that instead:
Setting Up Claws Mail
Upon loading Claws for the first time, it will launch a setup wizard. The second screen will have you input your name (which will appear in the “From” field in your e-mails) and your e-mail address. The third screen will ask you to choose your server type and input the address for it along with your user name and password. If you’re using GMail, the basic POP address is pop.gmail.com and the IMAP address is imap.gmail.com. The username should be self-explanatory; it’s the part of your e-mail address before the @. Make sure you that tick the box that says “Use SSL to connect to receiving server”. Don’t worry too much about STARTTLS. If you don’t put in your password here, you’ll need to enter it every time you download mail, I believe, which makes automation impossible. On the fourth screen it’ll ask for your SMTP server; this is the thing that deals with sending mail. If you’re using GMail, you want smtp.gmail.com. Leave the “Use authentication” box alone so it’ll import those settings from the previous screen, but make sure to hit “Use SSL” again. On the next screen, you can name your mailbox. Once that’s complete, hit Save. Try hitting “Get Mail”; if you receive no error messages, you should be good to go. Either way, you should see one mail in your new inbox welcoming you to Claws.
Now, hit Configuration -> Preferences for Current Account” and go down to Send. Ensure that “SMTP Authentication” is checked, then go to Privacy. Make sure that “Always sign messages when replying to a signed message”, “Always encrypt messages when replying to an encrypted message” and “Encrypt sent messages with your own key in addition to recipient’s” are checked, and set the default privacy system to PGP/MIME. If you have multiple accounts with multiple GPG keys, make sure you go to the GPG section and set the proper one; hit Apply. Next, go to Receive under the Account heading and uncheck the “Remove messages on server when received” or adjust as necessary, should you be using POP.
From here, you may want to go into Preferences -> Plugins -> GPG and tell it to automatically check signatures, and, optionally, store your passphrase for a given amount of time; setting it to 0 means you only have to enter your passphrase on the first e-mail you send, so long as you don’t close Claws. You may also want to allow it to grab input when asking for the passphrase so you don’t accidentally type it somewhere else, and to display warnings if things go amiss. While you’re there, you may want to go under the Compose heading and change your spell checker from the default German to English. You may also want to look under Message View for Text Options; by default Claws doesn’t render HTML elements in e-mails (as it is classically considered annoying to send HTML e-mails where plain text will do, and also because HTML can lead to security loopholes; for instance, they can imbed a link to an image on a page, and if you view the image they know you saw the e-mail), and you may want to adjust that behaviour. To enable automatic checking for mail (assuming you don’t mind leaving Claws open), go into the Receiving options. On that note, if you go to Configuration -> Plugins and hit Load, you’ll notice you have a DLL file called “notification.dll”. Load it, then go back to the Preferences and look for the new entry about it; from there you can configure the type of notification you will receive when a new mail comes in, and if you look around, you’ll notice you can enable Claws to “close to the system tray” so that it doesn’t take up space on your taskbar. To close it for good, just close it with the File menu.
Finally, to actually sign or encrypt your messages, take a look at the Compose window. Go to Options -> Sign and/or Options -> Encrypt, which will put a check mark next to the selected items; from there, simply write and send the message as usual. Aside from poking around and setting things up to your liking, everything is good to go.
Setting Up Thunderbird
Thunderbird, upon first launch, will launch a setup wizard. It is amazingly simple and should auto-detect everything needed in most cases from the information you provide it. You’ll obviously want to start out by clicking “Skip this and use my existing email”, though. After the basic setup is complete, we’ll need to grab a plug-in quick. To do that, click the Chrome-like menu button in the upper right and hit “Add-ons”. In the search bar, search for and install Enigmail. While we’re at it, consider grabbing “MinimizeToTray revived” if you want Thunderbird to listen for new e-mails constantly. Afterwards, restart Thunderbird to initialise the plug-ins.
With that taken care of, click your account, then hit “View settings for this account”. Under “Server Settings”, you’ll want to adjust the “leave Messages on server” settings as appropriate, as well as the message-checking settings if you want it to automatically check for new mail. Under “Composition & Addressing”, you may want to disable composing e-mail in HTML format if you have no real need for fancy stuff, as needless HTML is considered impolite. Then, head over to “OpenPGP Security” and tick the box there; you may also want to tick the other boxes there according to your preferences, with the exception of “Use PGP/MIME by default”. Definitely check that one. Then, you can choose to let it figure out which key to use based on the e-mail address you’re sending with or assign one specifically. When done, hit OK. After this, there’s one random setting we should hit, that being in the general Options, found again under the Chrome-like menu button. Under Security -> Web Content, hit the “Do not track” box, in case you end up using Thunderbird to track RSS feeds or anything of the sort.
Finally, to actually sign/encrypt messages, go to the compose view (the “Write” button), make your e-mail as normal, and then use the OpenPGP menu item. Do _not_ confuse this with the encryption options in the “Options” menu next to it, as this is a different thing that we’re not actually using.
From this point, everything should be basically good to go, aside from any customisation you want to do. Remember that if you installed that other extension that you can hit the minimise button to send Thunderbird to the system tray.
And with that, I conclude this not-so-brief tutorial. Thanks for bearing with me, and I hope it was helpful. If you have any comments or suggestions, please feel free to post.